MongoDB Ransom Attacks Infected 26,000 new Victims

Last week, MongoDB database saw new ransom attack by group of three new groups in which totally 26,000 servers got infected out of which a single group hijacked more than 22,000 servers. Way back in December 2016 to January 2017, similar MongoDB attacks occurred. The recent attacks have been detected by security researchers “Dylan Katz and Victor Gevers” and this is most probably the continuation of same attack. During those attacks, the cyber-criminals used to thoroughly scan the Internet in search for the open MongoDB database which has security vulnerabilities for external connections. They wiped out their contents and later demanded for high ransom amount. The data which cyber-criminals exposed were Test Systems but many companies got manipulated by this scam and agreed to pay the ransom money. Later, they realized that they have been scammed as the cyber-criminals never had their data.

Newly MongoDB Hijack Discovered

Security researchers have detected a recent attack where more than 45,000 databases were attacked. The researchers tracked these attacks by using Google Docs spreadsheet. The server technologies like MySQL, Hadoop, Cassandra, ElasticSearch, CouchDB also got infected with ransom after MongoDB attack. Last week, three groups got detected based on the email address provided on the ransom note. The first one is cru3lty@safe-mail.net whose ransom demand is O.2 BTC and it has about 22,449 victims. The next is wolsec@secmail.pro which demands for 0.05 BTC and it has 3,516 victims. The last is mongodb@tfwno.gf which demands for 0.15 BTC and has 839 victims.

The number of attackers has decreased as compared to last few months but their impact has been much more severe. In just a month, the group of three cyber-hackers managed to attack MongoDB and racked up 45,000 ransomed DBs. According to “Gevers”, he has seen many cases when DB got hijacked by hackers and victims used a database copy from backup but the cyber-groups once again attacked the server on same day. The victim totally failed to secure the DB.